Please note: as of NSX 6.2.3, the NSX Data Security feature has been deprecated. In NSX 6.2.3 you can continue to use this feature at your discretion, but be aware that it will be removed from NSX in a future release. The official communication is in the Deprecated section of the (now pulled) NSX 6.2.3 release notes.
Recently a customer asked me whether NSX Data Security can use a custom violation pattern when scanning VMs. I had never even thought about that, simply because privacy and security laws and regulations are highly standardised and have very specific patterns defined by governments all around the world. VMware Data Security supports only PCI, PHI and PII related regulations; the complete list is here: https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.reference.doc/GUID-1F4C32A8-9EA4-4F82-924C-D88323E3CF25.html
Now back to the question: is it possible to have a custom violation pattern? The answer is yes! It is not available in the Web Client, though; you have to create it via the API, and it leverages regular expressions (aka RegEx). There isn’t a lot of documentation out there, so I’m sharing my findings here, given that I spent some time figuring this out 🙂
- Creating regular Expressions from NSX Administration Guide
- Configure a Customized Regex as a Classification Value from nsx_62_api.pdf here’s a screenshot
DID YOU KNOW? As you can see, the endpoint URL contains dlp. In case you didn’t know, NSX Data Security is built on an RSA product, the Data Loss Prevention suite, which RSA is dropping (see this link); that is why VMware has deprecated this module.
The regulation we are going to use is called “Custom Account Numbers”, and in the next steps we will customise the content blade assigned to this regulation.
Get the list of regulations to find out the ID
The full XML response you get back is the following:
<Regulation>
  <revision>0</revision>
  <name>Custom Account Numbers</name>
  <description>Identifies documents and transmissions that contains identification or account numbers custom to your organisation. This policy requires customization of the Custom Accounts content blade. </description>
  <clientHandle/>
  <isUniversal>false</isUniversal>
  <universalRevision>0</universalRevision>
  <id>52</id>
  <classifications>
    <Classification>
      <id>20</id>
      <name>Custom Accounts</name>
      <providerName>Custom Accounts</providerName>
      <description>Custom Accounts</description>
      <customizable>true</customizable>
    </Classification>
  </classifications>
  <regions>ALL</regions>
  <categories>
    <string>PII</string>
  </categories>
</Regulation>
So we know that the Regulation ID is 52 and the Classification ID is 20 (note that the classification is flagged <customizable>true</customizable>).
Get the classification value
So we know the classificationValue ID is 3.
Configure custom RegEx for a Classification Value
I’m going to use a very simple RegEx, formatted as follows:
This will match any string like vlab-001-prod01, for instance; it could be a hostname or whatever you want it to be. You can experiment with this good online RegEx parser 🙂
Using a PUT to https://NSX-Manager-IP-Address/api/2.0/dlp/policy/classificationvalues we can store this pattern inside the classificationValue, as follows:
Check that it has been saved by doing another GET to https://NSX-Manager-IP-Address/api/2.0/dlp/classificationvalue
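As an added example (this is not code from the original post, nor a VMware or RSA tool), here is a small Python helper covering the parts of the steps above that can be checked offline: locating the regulation ID and the customizable classification IDs in the XML that NSX Manager returns, and testing a candidate pattern against sample strings before you PUT it into the classification value. The regex below is an assumed stand-in for the author's (the post shows it only in a screenshot), the sample strings are constructed, and the PUT body itself is left out because its schema is not reproduced on this page. The DLP engine inside NSX Manager may also accept a slightly different regex dialect than Python's, so treat the local check as a sanity test rather than proof.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the <Regulation> element NSX Manager returned for
# "Custom Account Numbers" (ids 52 / 20), as shown on this page.
REGULATION_XML = """<Regulation>
  <revision>0</revision>
  <name>Custom Account Numbers</name>
  <description>Identifies documents and transmissions that contains identification or account numbers custom to your organisation.</description>
  <clientHandle/>
  <isUniversal>false</isUniversal>
  <universalRevision>0</universalRevision>
  <id>52</id>
  <classifications>
    <Classification>
      <id>20</id>
      <name>Custom Accounts</name>
      <providerName>Custom Accounts</providerName>
      <description>Custom Accounts</description>
      <customizable>true</customizable>
    </Classification>
  </classifications>
  <regions>ALL</regions>
  <categories><string>PII</string></categories>
</Regulation>"""


def find_customizable_classifications(xml_text, regulation_name):
    """Return (regulation_id, [classification_ids]) for the named regulation,
    keeping only classifications flagged <customizable>true</customizable>.
    Works whether the root is a single <Regulation> or a list wrapper,
    because Element.iter() includes the root itself when its tag matches."""
    root = ET.fromstring(xml_text)
    for reg in root.iter("Regulation"):
        if reg.findtext("name") != regulation_name:
            continue
        reg_id = int(reg.findtext("id"))
        ids = [int(c.findtext("id")) for c in reg.iter("Classification")
               if c.findtext("customizable") == "true"]
        return reg_id, ids
    return None  # regulation not present in this response


# Hypothetical pattern (assumption: the page does not reproduce the author's
# regex). Matches hostnames shaped like vlab-001-prod01 as whole words, so
# a longer token such as vlab-001-prod012 is NOT reported as a violation.
HOST_PATTERN = r"\b[a-z]{2,8}-\d{3}-(?:prod|dev|test)\d{2}\b"


def check_pattern(pattern, should_match, should_not_match):
    """Compile the candidate regex and run it over constructed samples.
    Returns the samples that behaved unexpectedly; both lists empty means
    the pattern is ready to be stored in the classification value."""
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [s for s in should_match if not rx.search(s)]
    false_hits = [s for s in should_not_match if rx.search(s)]
    return {"missed": missed, "false_hits": false_hits}


if __name__ == "__main__":
    print(find_customizable_classifications(REGULATION_XML,
                                            "Custom Account Numbers"))
    # Constructed samples: the second "positive" checks the scan also fires
    # when the hostname sits inside a sentence, as it would in a real document.
    print(check_pattern(
        HOST_PATTERN,
        ["vlab-001-prod01", "Host VLAB-002-DEV03 rebooted"],
        ["vlab-1-prod01", "vlab-001-prod", "vlab-001-prod012"]))
```

Run the checker on a handful of true and false samples before publishing the policy: an anchored, narrow pattern keeps the scan report useful, whereas a loose one (for example just `prod`) will flag ordinary prose and bury the real hits.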
Configure a policy to use the custom regulation
From Data Security > Manage, click Edit under Regulation.
Click All and type Custom in the search box. Select it and click Next.
Our predefined RegEx pattern will appear (I haven’t tried, but I think you could also edit it from there). Click Finish and Publish Changes.
Create a file that violates the regulation
See the screenshot; I have created a file with the following text:
Start a new scan and wait for it to complete.
Check the scan results
From Monitor > Reports, and here we go!
Hope this was helpful; even though this module of NSX is going to disappear soon, there may be companies out there that are still interested!